[v2,4/6] arm: socfpga: dts: soc64: Update filename in binman node of FIT image with VAB support

Message ID 20210107100337.45293-5-elly.siew.chin.lim@intel.com
State Superseded
Delegated to: Simon Goldschmidt
Series Add Vendor Authorized Boot (VAB) support

Commit Message

Siew Chin Lim Jan. 7, 2021, 10:03 a.m. UTC
FIT image of Vendor Authentication Boot (VAB) contains signed images.

Signed-off-by: Siew Chin Lim <elly.siew.chin.lim@intel.com>
---
 arch/arm/dts/socfpga_soc64_fit-u-boot.dtsi | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

Comments

Simon Glass Jan. 7, 2021, 12:36 p.m. UTC | #1
On Thu, 7 Jan 2021 at 03:03, Siew Chin Lim <elly.siew.chin.lim@intel.com> wrote:
>
> FIT image of Vendor Authentication Boot (VAB) contains signed images.
>
> Signed-off-by: Siew Chin Lim <elly.siew.chin.lim@intel.com>
> ---
>  arch/arm/dts/socfpga_soc64_fit-u-boot.dtsi | 22 ++++++++++++++++++++++
>  1 file changed, 22 insertions(+)
>

I'm not quite sure what is happening here, but consider using two
separate files rather than what looks like a patch over an existing
one.



> diff --git a/arch/arm/dts/socfpga_soc64_fit-u-boot.dtsi b/arch/arm/dts/socfpga_soc64_fit-u-boot.dtsi
> index cf365590a8..4b30473743 100644
> --- a/arch/arm/dts/socfpga_soc64_fit-u-boot.dtsi
> +++ b/arch/arm/dts/socfpga_soc64_fit-u-boot.dtsi
> @@ -117,4 +117,26 @@
>         };
>  };
>
> +#if defined(CONFIG_SOCFPGA_SECURE_VAB_AUTH)
> +&uboot_blob {
> +       filename = "signed-u-boot-nodtb.bin";
> +};
> +
> +&atf_blob {
> +       filename = "signed-bl31.bin";
> +};
> +
> +&uboot_fdt_blob {
> +       filename = "signed-u-boot.dtb";
> +};
> +
> +&kernel_blob {
> +       filename = "signed-Image";
> +};
> +
> +&kernel_fdt_blob {
> +       filename = "signed-linux.dtb";
> +};
> +#endif
> +
>  #endif
> --
> 2.13.0
>
Siew Chin Lim Jan. 7, 2021, 2:13 p.m. UTC | #2
Hi Simon,

> -----Original Message-----
> From: Simon Glass <sjg@chromium.org>
> Sent: Thursday, January 7, 2021 8:37 PM
> To: Lim, Elly Siew Chin <elly.siew.chin.lim@intel.com>
> Cc: U-Boot Mailing List <u-boot@lists.denx.de>; Marek Vasut
> <marex@denx.de>; Tan, Ley Foon <ley.foon.tan@intel.com>; See, Chin Liang
> <chin.liang.see@intel.com>; Simon Goldschmidt
> <simon.k.r.goldschmidt@gmail.com>; Chee, Tien Fong
> <tien.fong.chee@intel.com>; Westergreen, Dalon
> <dalon.westergreen@intel.com>; Gan, Yau Wai <yau.wai.gan@intel.com>
> Subject: Re: [v2 4/6] arm: socfpga: dts: soc64: Update filename in binman node
> of FIT image with VAB support
> 
> On Thu, 7 Jan 2021 at 03:03, Siew Chin Lim <elly.siew.chin.lim@intel.com>
> wrote:
> >
> > FIT image of Vendor Authentication Boot (VAB) contains signed images.
> >
> > Signed-off-by: Siew Chin Lim <elly.siew.chin.lim@intel.com>
> > ---
> >  arch/arm/dts/socfpga_soc64_fit-u-boot.dtsi | 22 ++++++++++++++++++++++
> >  1 file changed, 22 insertions(+)
> >
> 
> I'm not quite sure what is happening here, but consider using two separate files
> rather than what looks like a patch over an existing one.
> 

There are two boot flows that will use binman (socfpga_soc64_fit-u-boot.dtsi) to generate u-boot.fit and kernel.fit:
    1. socfpga_agilex_atf_defconfig (boot via ATF)
    2. socfpga_agilex_vab_defconfig (boot via ATF with VAB enabled, supports authentication of bl31, u-boot, Linux images)

The binman node settings are the same for both flows. With VAB enabled, all input files need to be signed before generating the FIT image. We would like to use different input file names to remind users that they need to sign all bl31, u-boot, Linux images when using binman to generate the FIT image.

Because the binman node settings are identical and only the file names need to be different, we prefer to share the same socfpga_soc64_fit-u-boot.dtsi for both flows.

Thanks,
Siew Chin

> 
> 
> > diff --git a/arch/arm/dts/socfpga_soc64_fit-u-boot.dtsi
> > b/arch/arm/dts/socfpga_soc64_fit-u-boot.dtsi
> > index cf365590a8..4b30473743 100644
> > --- a/arch/arm/dts/socfpga_soc64_fit-u-boot.dtsi
> > +++ b/arch/arm/dts/socfpga_soc64_fit-u-boot.dtsi
> > @@ -117,4 +117,26 @@
> >         };
> >  };
> >
> > +#if defined(CONFIG_SOCFPGA_SECURE_VAB_AUTH)
> > +&uboot_blob {
> > +       filename = "signed-u-boot-nodtb.bin"; };
> > +
> > +&atf_blob {
> > +       filename = "signed-bl31.bin";
> > +};
> > +
> > +&uboot_fdt_blob {
> > +       filename = "signed-u-boot.dtb"; };
> > +
> > +&kernel_blob {
> > +       filename = "signed-Image";
> > +};
> > +
> > +&kernel_fdt_blob {
> > +       filename = "signed-linux.dtb"; }; #endif
> > +
> >  #endif
> > --
> > 2.13.0
> >
Simon Glass Jan. 7, 2021, 4:21 p.m. UTC | #3
Hi Siew Chin,

On Thu, 7 Jan 2021 at 07:13, Lim, Elly Siew Chin
<elly.siew.chin.lim@intel.com> wrote:
>
> Hi Simon,
>
> > -----Original Message-----
> > From: Simon Glass <sjg@chromium.org>
> > Sent: Thursday, January 7, 2021 8:37 PM
> > To: Lim, Elly Siew Chin <elly.siew.chin.lim@intel.com>
> > Cc: U-Boot Mailing List <u-boot@lists.denx.de>; Marek Vasut
> > <marex@denx.de>; Tan, Ley Foon <ley.foon.tan@intel.com>; See, Chin Liang
> > <chin.liang.see@intel.com>; Simon Goldschmidt
> > <simon.k.r.goldschmidt@gmail.com>; Chee, Tien Fong
> > <tien.fong.chee@intel.com>; Westergreen, Dalon
> > <dalon.westergreen@intel.com>; Gan, Yau Wai <yau.wai.gan@intel.com>
> > Subject: Re: [v2 4/6] arm: socfpga: dts: soc64: Update filename in binman node
> > of FIT image with VAB support
> >
> > On Thu, 7 Jan 2021 at 03:03, Siew Chin Lim <elly.siew.chin.lim@intel.com>
> > wrote:
> > >
> > > FIT image of Vendor Authentication Boot (VAB) contains signed images.
> > >
> > > Signed-off-by: Siew Chin Lim <elly.siew.chin.lim@intel.com>
> > > ---
> > >  arch/arm/dts/socfpga_soc64_fit-u-boot.dtsi | 22 ++++++++++++++++++++++
> > >  1 file changed, 22 insertions(+)
> > >
> >
> > I'm not quite sure what is happening here, but consider using two separate files
> > rather than what looks like a patch over an existing one.
> >
>
> There are two boot flows that will use binman (socfpga_soc64_fit-u-boot.dtsi) to generate u-boot.fit and kernel.fit:
>     1. socfpga_agilex_atf_defconfig (boot via ATF)
>     2. socfpga_agilex_vab_defconfig (boot via ATF with VAB enabled, supports authentication of bl31, u-boot, Linux images)
>
> The binman node settings are the same for both flows. With VAB enabled, all input files need to be signed before generating the FIT image. We would like to use different input file names to remind users that they need to sign all bl31, u-boot, Linux images when using binman to generate the FIT image.
>
> Because the binman node settings are identical and only the file names need to be different, we prefer to share the same socfpga_soc64_fit-u-boot.dtsi for both flows.

Reviewed-by: Simon Glass <sjg@chromium.org>

OK I see.

Who does the signing of the inputs? Is that something binman could/should do?

Regards,
Simon
Siew Chin Lim Jan. 8, 2021, 12:57 a.m. UTC | #4
Hi Simon,

> -----Original Message-----
> From: Simon Glass <sjg@chromium.org>
> Sent: Friday, January 8, 2021 12:22 AM
> To: Lim, Elly Siew Chin <elly.siew.chin.lim@intel.com>
> Cc: U-Boot Mailing List <u-boot@lists.denx.de>; Marek Vasut
> <marex@denx.de>; Tan, Ley Foon <ley.foon.tan@intel.com>; See, Chin Liang
> <chin.liang.see@intel.com>; Simon Goldschmidt
> <simon.k.r.goldschmidt@gmail.com>; Chee, Tien Fong
> <tien.fong.chee@intel.com>; Westergreen, Dalon
> <dalon.westergreen@intel.com>; Gan, Yau Wai <yau.wai.gan@intel.com>
> Subject: Re: [v2 4/6] arm: socfpga: dts: soc64: Update filename in binman node
> of FIT image with VAB support
> 
> Hi Siew Chin,
> 
> On Thu, 7 Jan 2021 at 07:13, Lim, Elly Siew Chin <elly.siew.chin.lim@intel.com>
> wrote:
> >
> > Hi Simon,
> >
> > > -----Original Message-----
> > > From: Simon Glass <sjg@chromium.org>
> > > Sent: Thursday, January 7, 2021 8:37 PM
> > > To: Lim, Elly Siew Chin <elly.siew.chin.lim@intel.com>
> > > Cc: U-Boot Mailing List <u-boot@lists.denx.de>; Marek Vasut
> > > <marex@denx.de>; Tan, Ley Foon <ley.foon.tan@intel.com>; See, Chin
> > > Liang <chin.liang.see@intel.com>; Simon Goldschmidt
> > > <simon.k.r.goldschmidt@gmail.com>; Chee, Tien Fong
> > > <tien.fong.chee@intel.com>; Westergreen, Dalon
> > > <dalon.westergreen@intel.com>; Gan, Yau Wai <yau.wai.gan@intel.com>
> > > Subject: Re: [v2 4/6] arm: socfpga: dts: soc64: Update filename in
> > > binman node of FIT image with VAB support
> > >
> > > On Thu, 7 Jan 2021 at 03:03, Siew Chin Lim
> > > <elly.siew.chin.lim@intel.com>
> > > wrote:
> > > >
> > > > FIT image of Vendor Authentication Boot (VAB) contains signed images.
> > > >
> > > > Signed-off-by: Siew Chin Lim <elly.siew.chin.lim@intel.com>
> > > > ---
> > > >  arch/arm/dts/socfpga_soc64_fit-u-boot.dtsi | 22 ++++++++++++++++++++++
> > > >  1 file changed, 22 insertions(+)
> > > >
> > >
> > > I'm not quite sure what is happening here, but consider using two
> > > separate files rather than what looks like a patch over an existing one.
> > >
> >
> > There are two boot flows that will use binman (socfpga_soc64_fit-u-boot.dtsi) to generate u-boot.fit and kernel.fit:
> >     1. socfpga_agilex_atf_defconfig (boot via ATF)
> >     2. socfpga_agilex_vab_defconfig (boot via ATF with VAB enabled, supports authentication of bl31, u-boot, Linux images)
> >
> > The binman node settings are the same for both flows. With VAB enabled, all input files need to be signed before generating the FIT image. We would like to use different input file names to remind users that they need to sign all bl31, u-boot, Linux images when using binman to generate the FIT image.
> >
> > Because the binman node settings are identical and only the file names need to be different, we prefer to share the same socfpga_soc64_fit-u-boot.dtsi for both flows.
> 
> Reviewed-by: Simon Glass <sjg@chromium.org>
> 
> OK I see.
> 
> Who does the signing of the inputs? Is that something binman could/should do?

In our case, we will provide users with Intel proprietary tools to sign the image, and we have our signature format.
Users need to follow the steps and sign the images, and then call binman to convert them into a FIT image.
I think maybe it is not suitable to incorporate any external proprietary tools into binman.

Thanks,
Siew Chin

> 
> Regards,
> Simon
Simon Glass Jan. 8, 2021, 3:23 a.m. UTC | #5
Hi Siew Elly,

On Thu, 7 Jan 2021 at 17:57, Lim, Elly Siew Chin
<elly.siew.chin.lim@intel.com> wrote:
>
> Hi Simon,
>
> > -----Original Message-----
> > From: Simon Glass <sjg@chromium.org>
> > Sent: Friday, January 8, 2021 12:22 AM
> > To: Lim, Elly Siew Chin <elly.siew.chin.lim@intel.com>
> > Cc: U-Boot Mailing List <u-boot@lists.denx.de>; Marek Vasut
> > <marex@denx.de>; Tan, Ley Foon <ley.foon.tan@intel.com>; See, Chin Liang
> > <chin.liang.see@intel.com>; Simon Goldschmidt
> > <simon.k.r.goldschmidt@gmail.com>; Chee, Tien Fong
> > <tien.fong.chee@intel.com>; Westergreen, Dalon
> > <dalon.westergreen@intel.com>; Gan, Yau Wai <yau.wai.gan@intel.com>
> > Subject: Re: [v2 4/6] arm: socfpga: dts: soc64: Update filename in binman node
> > of FIT image with VAB support
> >
> > Hi Siew Chin,
> >
> > On Thu, 7 Jan 2021 at 07:13, Lim, Elly Siew Chin <elly.siew.chin.lim@intel.com>
> > wrote:
> > >
> > > Hi Simon,
> > >
> > > > -----Original Message-----
> > > > From: Simon Glass <sjg@chromium.org>
> > > > Sent: Thursday, January 7, 2021 8:37 PM
> > > > To: Lim, Elly Siew Chin <elly.siew.chin.lim@intel.com>
> > > > Cc: U-Boot Mailing List <u-boot@lists.denx.de>; Marek Vasut
> > > > <marex@denx.de>; Tan, Ley Foon <ley.foon.tan@intel.com>; See, Chin
> > > > Liang <chin.liang.see@intel.com>; Simon Goldschmidt
> > > > <simon.k.r.goldschmidt@gmail.com>; Chee, Tien Fong
> > > > <tien.fong.chee@intel.com>; Westergreen, Dalon
> > > > <dalon.westergreen@intel.com>; Gan, Yau Wai <yau.wai.gan@intel.com>
> > > > Subject: Re: [v2 4/6] arm: socfpga: dts: soc64: Update filename in
> > > > binman node of FIT image with VAB support
> > > >
> > > > On Thu, 7 Jan 2021 at 03:03, Siew Chin Lim
> > > > <elly.siew.chin.lim@intel.com>
> > > > wrote:
> > > > >
> > > > > FIT image of Vendor Authentication Boot (VAB) contains signed images.
> > > > >
> > > > > Signed-off-by: Siew Chin Lim <elly.siew.chin.lim@intel.com>
> > > > > ---
> > > > >  arch/arm/dts/socfpga_soc64_fit-u-boot.dtsi | 22 ++++++++++++++++++++++
> > > > >  1 file changed, 22 insertions(+)
> > > > >
> > > >
> > > > I'm not quite sure what is happening here, but consider using two
> > > > separate files rather than what looks like a patch over an existing one.
> > > >
> > >
> > > There are two boot flows that will use binman (socfpga_soc64_fit-u-boot.dtsi) to generate u-boot.fit and kernel.fit:
> > >     1. socfpga_agilex_atf_defconfig (boot via ATF)
> > >     2. socfpga_agilex_vab_defconfig (boot via ATF with VAB enabled, supports authentication of bl31, u-boot, Linux images)
> > >
> > > The binman node settings are the same for both flows. With VAB enabled, all input files need to be signed before generating the FIT image. We would like to use different input file names to remind users that they need to sign all bl31, u-boot, Linux images when using binman to generate the FIT image.
> > >
> > > Because the binman node settings are identical and only the file names need to be different, we prefer to share the same socfpga_soc64_fit-u-boot.dtsi for both flows.
> >
> > Reviewed-by: Simon Glass <sjg@chromium.org>
> >
> > OK I see.
> >
> > Who does the signing of the inputs? Is that something binman could/should do?
>
> In our case, we will provide users with Intel proprietary tools to sign the image, and we have our signature format.
> Users need to follow the steps and sign the images, and then call binman to convert them into a FIT image.
> I think maybe it is not suitable to incorporate any external proprietary tools into binman.

Possibly, although we already have quite a few. Is the tool secret or
can it be downloaded from somewhere? If the latter, see how cbfstool
is handled.

Regards,
Simon
Siew Chin Lim Jan. 8, 2021, 5:19 a.m. UTC | #6
Hi Simon,

> -----Original Message-----
> From: Simon Glass <sjg@chromium.org>
> Sent: Friday, January 8, 2021 11:24 AM
> To: Lim, Elly Siew Chin <elly.siew.chin.lim@intel.com>
> Cc: U-Boot Mailing List <u-boot@lists.denx.de>; Marek Vasut
> <marex@denx.de>; Tan, Ley Foon <ley.foon.tan@intel.com>; See, Chin Liang
> <chin.liang.see@intel.com>; Simon Goldschmidt
> <simon.k.r.goldschmidt@gmail.com>; Chee, Tien Fong
> <tien.fong.chee@intel.com>; Westergreen, Dalon
> <dalon.westergreen@intel.com>; Gan, Yau Wai <yau.wai.gan@intel.com>
> Subject: Re: [v2 4/6] arm: socfpga: dts: soc64: Update filename in binman node
> of FIT image with VAB support
> 
> Hi Siew Elly,
> 
> On Thu, 7 Jan 2021 at 17:57, Lim, Elly Siew Chin <elly.siew.chin.lim@intel.com>
> wrote:
> >
> > Hi Simon,
> >
> > > -----Original Message-----
> > > From: Simon Glass <sjg@chromium.org>
> > > Sent: Friday, January 8, 2021 12:22 AM
> > > To: Lim, Elly Siew Chin <elly.siew.chin.lim@intel.com>
> > > Cc: U-Boot Mailing List <u-boot@lists.denx.de>; Marek Vasut
> > > <marex@denx.de>; Tan, Ley Foon <ley.foon.tan@intel.com>; See, Chin
> > > Liang <chin.liang.see@intel.com>; Simon Goldschmidt
> > > <simon.k.r.goldschmidt@gmail.com>; Chee, Tien Fong
> > > <tien.fong.chee@intel.com>; Westergreen, Dalon
> > > <dalon.westergreen@intel.com>; Gan, Yau Wai <yau.wai.gan@intel.com>
> > > Subject: Re: [v2 4/6] arm: socfpga: dts: soc64: Update filename in
> > > binman node of FIT image with VAB support
> > >
> > > Hi Siew Chin,
> > >
> > > On Thu, 7 Jan 2021 at 07:13, Lim, Elly Siew Chin
> > > <elly.siew.chin.lim@intel.com>
> > > wrote:
> > > >
> > > > Hi Simon,
> > > >
> > > > > -----Original Message-----
> > > > > From: Simon Glass <sjg@chromium.org>
> > > > > Sent: Thursday, January 7, 2021 8:37 PM
> > > > > To: Lim, Elly Siew Chin <elly.siew.chin.lim@intel.com>
> > > > > Cc: U-Boot Mailing List <u-boot@lists.denx.de>; Marek Vasut
> > > > > <marex@denx.de>; Tan, Ley Foon <ley.foon.tan@intel.com>; See,
> > > > > Chin Liang <chin.liang.see@intel.com>; Simon Goldschmidt
> > > > > <simon.k.r.goldschmidt@gmail.com>; Chee, Tien Fong
> > > > > <tien.fong.chee@intel.com>; Westergreen, Dalon
> > > > > <dalon.westergreen@intel.com>; Gan, Yau Wai
> > > > > <yau.wai.gan@intel.com>
> > > > > Subject: Re: [v2 4/6] arm: socfpga: dts: soc64: Update filename
> > > > > in binman node of FIT image with VAB support
> > > > >
> > > > > On Thu, 7 Jan 2021 at 03:03, Siew Chin Lim
> > > > > <elly.siew.chin.lim@intel.com>
> > > > > wrote:
> > > > > >
> > > > > > FIT image of Vendor Authentication Boot (VAB) contains signed images.
> > > > > >
> > > > > > Signed-off-by: Siew Chin Lim <elly.siew.chin.lim@intel.com>
> > > > > > ---
> > > > > >  arch/arm/dts/socfpga_soc64_fit-u-boot.dtsi | 22 ++++++++++++++++++++++
> > > > > >  1 file changed, 22 insertions(+)
> > > > > >
> > > > >
> > > > > I'm not quite sure what is happening here, but consider using
> > > > > two separate files rather than what looks like a patch over an existing one.
> > > > >
> > > >
> > > > There are two boot flows that will use binman (socfpga_soc64_fit-u-boot.dtsi) to generate u-boot.fit and kernel.fit:
> > > >     1. socfpga_agilex_atf_defconfig (boot via ATF)
> > > >     2. socfpga_agilex_vab_defconfig (boot via ATF with VAB enabled, supports authentication of bl31, u-boot, Linux images)
> > > >
> > > > The binman node settings are the same for both flows. With VAB enabled, all input files need to be signed before generating the FIT image. We would like to use different input file names to remind users that they need to sign all bl31, u-boot, Linux images when using binman to generate the FIT image.
> > > >
> > > > Because the binman node settings are identical and only the file names need to be different, we prefer to share the same socfpga_soc64_fit-u-boot.dtsi for both flows.
> > >
> > > Reviewed-by: Simon Glass <sjg@chromium.org>
> > >
> > > OK I see.
> > >
> > > Who does the signing of the inputs? Is that something binman could/should do?
> >
> > In our case, we will provide users with Intel proprietary tools to sign the image, and we have our signature format.
> > Users need to follow the steps and sign the images, and then call binman to convert them into a FIT image.
> > I think maybe it is not suitable to incorporate any external proprietary tools into binman.
>
> Possibly, although we already have quite a few. Is the tool secret or can it be
> downloaded from somewhere? If the latter, see how cbfstool is handled.

It is licensed software. 

> 
> Regards,
> Simon
Simon Glass Jan. 8, 2021, 4:48 p.m. UTC | #7
Hi Siew Chin,

On Thu, 7 Jan 2021 at 22:19, Lim, Elly Siew Chin
<elly.siew.chin.lim@intel.com> wrote:
>
> Hi Simon,
>
> > -----Original Message-----
> > From: Simon Glass <sjg@chromium.org>
> > Sent: Friday, January 8, 2021 11:24 AM
> > To: Lim, Elly Siew Chin <elly.siew.chin.lim@intel.com>
> > Cc: U-Boot Mailing List <u-boot@lists.denx.de>; Marek Vasut
> > <marex@denx.de>; Tan, Ley Foon <ley.foon.tan@intel.com>; See, Chin Liang
> > <chin.liang.see@intel.com>; Simon Goldschmidt
> > <simon.k.r.goldschmidt@gmail.com>; Chee, Tien Fong
> > <tien.fong.chee@intel.com>; Westergreen, Dalon
> > <dalon.westergreen@intel.com>; Gan, Yau Wai <yau.wai.gan@intel.com>
> > Subject: Re: [v2 4/6] arm: socfpga: dts: soc64: Update filename in binman node
> > of FIT image with VAB support
> >
> > Hi Siew Elly,
> >
> > On Thu, 7 Jan 2021 at 17:57, Lim, Elly Siew Chin <elly.siew.chin.lim@intel.com>
> > wrote:
> > >
> > > Hi Simon,
> > >
> > > > -----Original Message-----
> > > > From: Simon Glass <sjg@chromium.org>
> > > > Sent: Friday, January 8, 2021 12:22 AM
> > > > To: Lim, Elly Siew Chin <elly.siew.chin.lim@intel.com>
> > > > Cc: U-Boot Mailing List <u-boot@lists.denx.de>; Marek Vasut
> > > > <marex@denx.de>; Tan, Ley Foon <ley.foon.tan@intel.com>; See, Chin
> > > > Liang <chin.liang.see@intel.com>; Simon Goldschmidt
> > > > <simon.k.r.goldschmidt@gmail.com>; Chee, Tien Fong
> > > > <tien.fong.chee@intel.com>; Westergreen, Dalon
> > > > <dalon.westergreen@intel.com>; Gan, Yau Wai <yau.wai.gan@intel.com>
> > > > Subject: Re: [v2 4/6] arm: socfpga: dts: soc64: Update filename in
> > > > binman node of FIT image with VAB support
> > > >
> > > > Hi Siew Chin,
> > > >
> > > > On Thu, 7 Jan 2021 at 07:13, Lim, Elly Siew Chin
> > > > <elly.siew.chin.lim@intel.com>
> > > > wrote:
> > > > >
> > > > > Hi Simon,
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Simon Glass <sjg@chromium.org>
> > > > > > Sent: Thursday, January 7, 2021 8:37 PM
> > > > > > To: Lim, Elly Siew Chin <elly.siew.chin.lim@intel.com>
> > > > > > Cc: U-Boot Mailing List <u-boot@lists.denx.de>; Marek Vasut
> > > > > > <marex@denx.de>; Tan, Ley Foon <ley.foon.tan@intel.com>; See,
> > > > > > Chin Liang <chin.liang.see@intel.com>; Simon Goldschmidt
> > > > > > <simon.k.r.goldschmidt@gmail.com>; Chee, Tien Fong
> > > > > > <tien.fong.chee@intel.com>; Westergreen, Dalon
> > > > > > <dalon.westergreen@intel.com>; Gan, Yau Wai
> > > > > > <yau.wai.gan@intel.com>
> > > > > > Subject: Re: [v2 4/6] arm: socfpga: dts: soc64: Update filename
> > > > > > in binman node of FIT image with VAB support
> > > > > >
> > > > > > On Thu, 7 Jan 2021 at 03:03, Siew Chin Lim
> > > > > > <elly.siew.chin.lim@intel.com>
> > > > > > wrote:
> > > > > > >
> > > > > > > FIT image of Vendor Authentication Boot (VAB) contains signed images.
> > > > > > >
> > > > > > > Signed-off-by: Siew Chin Lim <elly.siew.chin.lim@intel.com>
> > > > > > > ---
> > > > > > >  arch/arm/dts/socfpga_soc64_fit-u-boot.dtsi | 22 ++++++++++++++++++++++
> > > > > > >  1 file changed, 22 insertions(+)
> > > > > > >
> > > > > >
> > > > > > I'm not quite sure what is happening here, but consider using
> > > > > > two separate files rather than what looks like a patch over an existing one.
> > > > > >
> > > > >
> > > > > There are two boot flows that will use binman (socfpga_soc64_fit-u-boot.dtsi) to generate u-boot.fit and kernel.fit:
> > > > >     1. socfpga_agilex_atf_defconfig (boot via ATF)
> > > > >     2. socfpga_agilex_vab_defconfig (boot via ATF with VAB enabled, supports authentication of bl31, u-boot, Linux images)
> > > > >
> > > > > The binman node settings are the same for both flows. With VAB enabled, all input files need to be signed before generating the FIT image. We would like to use different input file names to remind users that they need to sign all bl31, u-boot, Linux images when using binman to generate the FIT image.
> > > > >
> > > > > Because the binman node settings are identical and only the file names need to be different, we prefer to share the same socfpga_soc64_fit-u-boot.dtsi for both flows.
> > > >
> > > > Reviewed-by: Simon Glass <sjg@chromium.org>
> > > >
> > > > OK I see.
> > > >
> > > > Who does the signing of the inputs? Is that something binman could/should do?
> > >
> > > In our case, we will provide users with Intel proprietary tools to sign the image, and we have our signature format.
> > > Users need to follow the steps and sign the images, and then call binman to convert them into a FIT image.
> > > I think maybe it is not suitable to incorporate any external proprietary tools into binman.
> >
> > Possibly, although we already have quite a few. Is the tool secret or can it be
> > downloaded from somewhere? If the latter, see how cbfstool is handled.
>
> It is licensed software.

I suggest releasing an open-source, command-line tool as has happened
with various other Intel innovations. It is hard for people to include
private binary tools in their automated build flow. If it is required
to actually boot on the device, then it will be hard for people to
incorporate the hardware in test labs.

Regards,
Simon
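
Since the thread settles on signing the inputs outside binman, with the "signed-" file names acting only as a reminder, an automated build flow can gate the binman call on those inputs. The script below is an added example, not part of the patch or of U-Boot; it checks presence, difference from the unsigned file and freshness only, because the signature format is not described in this thread. It assumes the unsigned files sit in the same directory under the names left after stripping "signed-"; the script name vab_gate.sh is a placeholder.

```sh
#!/bin/sh
# Added example, not from the U-Boot tree: a gate to run before binman in the
# VAB flow. The five names are the ones the patch sets in the binman nodes.
VAB_INPUTS="signed-u-boot-nodtb.bin signed-bl31.bin signed-u-boot.dtb signed-Image signed-linux.dtb"

# check_signed_input DIR NAME
# Assumption: the unsigned counterpart lives in DIR under NAME without the
# "signed-" prefix. The signature itself is NOT verified here (the format is
# proprietary and not described in the thread).
# Returns: 0 ok, 1 missing or empty, 2 byte-identical to the unsigned file
# (renamed, not signed), 3 older than the unsigned file (stale signature).
check_signed_input() {
    csi_signed="$1/$2"
    csi_unsigned="$1/${2#signed-}"

    [ -s "$csi_signed" ] || return 1
    if [ -f "$csi_unsigned" ]; then
        if cmp -s "$csi_signed" "$csi_unsigned"; then
            return 2
        fi
        if [ "$csi_unsigned" -nt "$csi_signed" ]; then
            return 3
        fi
    fi
    return 0
}

# check_vab_inputs DIR
# Checks all five inputs, reports each problem on stderr and returns the
# number of inputs that failed (0 means binman may be called).
check_vab_inputs() {
    cvi_failed=0
    for cvi_name in $VAB_INPUTS; do
        cvi_rc=0
        check_signed_input "$1" "$cvi_name" || cvi_rc=$?
        case $cvi_rc in
            0) continue ;;
            1) echo "VAB: $cvi_name is missing or empty" >&2 ;;
            2) echo "VAB: $cvi_name is identical to ${cvi_name#signed-} (not signed)" >&2 ;;
            3) echo "VAB: $cvi_name is older than ${cvi_name#signed-} (re-sign it)" >&2 ;;
        esac
        cvi_failed=$((cvi_failed + 1))
    done
    return "$cvi_failed"
}

# Usage: sh vab_gate.sh <build-dir>
if [ "$#" -ge 1 ]; then
    check_vab_inputs "$1" || exit 1
    echo "VAB: all signed inputs present, binman can be run"
fi
```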
Patch

diff --git a/arch/arm/dts/socfpga_soc64_fit-u-boot.dtsi b/arch/arm/dts/socfpga_soc64_fit-u-boot.dtsi
index cf365590a8..4b30473743 100644
--- a/arch/arm/dts/socfpga_soc64_fit-u-boot.dtsi
+++ b/arch/arm/dts/socfpga_soc64_fit-u-boot.dtsi
@@ -117,4 +117,26 @@ 
 	};
 };
 
+#if defined(CONFIG_SOCFPGA_SECURE_VAB_AUTH)
+&uboot_blob {
+	filename = "signed-u-boot-nodtb.bin";
+};
+
+&atf_blob {
+	filename = "signed-bl31.bin";
+};
+
+&uboot_fdt_blob {
+	filename = "signed-u-boot.dtb";
+};
+
+&kernel_blob {
+	filename = "signed-Image";
+};
+
+&kernel_fdt_blob {
+	filename = "signed-linux.dtb";
+};
+#endif
+
 #endif
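
Review bot: The five filename overrides inside "#if defined(CONFIG_SOCFPGA_SECURE_VAB_AUTH)" only change which file names binman is told to pick up; nothing in this hunk checks that a file called "signed-Image" or "signed-bl31.bin" has actually been through the signing step, so the prefix is a reminder and not a guarantee. Please add a comment above the block saying that the signed-* inputs must be produced by the external signing tool before binman runs, and carry the explanation from the discussion (two defconfig flows sharing this .dtsi, differing only in input file names) into the commit message, which is currently a single sentence. As a style point, the new "#endif" sits directly before the existing one, so writing it as "#endif /* CONFIG_SOCFPGA_SECURE_VAB_AUTH */" would make clear which condition each one closes.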